
PG-2353: GitHub OIDC role for the PPG OL10 AMI factory#99

Merged: nogueiraanderson merged 1 commit into main from PG-2353-gha-ppg-ami-factory-role on Jun 5, 2026

Conversation

@nogueiraanderson
Collaborator

Feature

  • Add the gha_ppg_ami_factory GitHub-OIDC role (via the github-oidc-role module) that the AMI-build workflow assumes, plus a pre-created egress-only builder security group.

Why

  • Lets the factory authenticate with no static keys and build over SSM Session Manager (no inbound SSH).
  • Least-privilege: SSM scoped to AWS-StartPortForwardingSession; RunInstances, terminate, and deregister gated on iit-billing-tag; no SG-mutation perms since the SG is pre-created.

Tickets

@nogueiraanderson
Collaborator Author

nogueiraanderson commented Jun 4, 2026

Apply notes

  • Apply in the CI build account where the factory bakes and the molecule jobs run (the token.actions.githubusercontent.com OIDC provider already exists there).
  • A ppg-ami-builder-ssm role + instance profile were created manually during end-to-end testing, so tofu apply will hit EntityAlreadyExists on that resource. Delete the manual pair or tofu import it before applying.
  • After apply, set the Percona-Lab/jenkins-pipelines repo secret PPG_AMI_FACTORY_ROLE_ARN to the ppg_ami_factory_oidc_role_arn output.
  • The OL10 vmimport role + import bucket are intentionally outside this module (one-time operator bootstrap via just bootstrap-ol10-prep). just ci passes locally (tofu validate: 4 resources valid).

- Add gha_ppg_ami_factory (github-oidc-role module) assumed by the AMI-build GHA workflow via OIDC, no static keys
- Trust the canonical Percona-Lab/jenkins-pipelines master ref only (StringEquals, no wildcard sub)
- Add the builder SSM instance profile + an egress-only no-ingress SG so Packer needs no SG-mutation perms
- Least-privilege EC2/AMI/SSM policy; Run/terminate/deregister fenced on iit-billing-tag + region; SSM scoped to AWS-StartPortForwardingSession
- Source the account id via data.aws_caller_identity; output the role ARN for the repo secret
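The "StringEquals, no wildcard sub" trust condition from the PR description and commit message, as an added Python example that is not part of the PR or the github-oidc-role module: it builds the trust-policy shape for the GitHub OIDC provider, evaluates token claims against it, and lints for wildcard `sub` patterns. ACCOUNT_ID is a placeholder and the exact policy layout is assumed, not the module's real output.

```python
import fnmatch

# Added example, not the PR's code: the trust-policy shape behind "trust the canonical
# Percona-Lab/jenkins-pipelines master ref only (StringEquals, no wildcard sub)".
# ACCOUNT_ID is a placeholder; the module sources the real id from data.aws_caller_identity.
OIDC = "token.actions.githubusercontent.com"
ACCOUNT_ID = "123456789012"
MASTER_SUB = "repo:Percona-Lab/jenkins-pipelines:ref:refs/heads/master"

def trust_policy(condition):
    """Return an assume-role policy trusting the GitHub OIDC provider under `condition`."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{OIDC}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition}]}

# Exact-ref trust (what the PR merges) beside the wildcard form it deliberately avoids.
EXACT = trust_policy({"StringEquals": {f"{OIDC}:aud": "sts.amazonaws.com",
                                       f"{OIDC}:sub": MASTER_SUB}})
WILDCARD = trust_policy({"StringEquals": {f"{OIDC}:aud": "sts.amazonaws.com"},
                         "StringLike": {f"{OIDC}:sub": "repo:Percona-Lab/jenkins-pipelines:*"}})

def claim(key):
    """'token.actions.githubusercontent.com:sub' -> 'sub'."""
    return key.split(":", 1)[1]

def trust_allows(policy, claims):
    """Evaluate the Allow statements' StringEquals/StringLike conditions against token claims.
    All keys in a statement must match (AND); any matching Allow statement grants the assume."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        cond = stmt.get("Condition", {})
        ok = all(claims.get(claim(k)) == v for k, v in cond.get("StringEquals", {}).items())
        ok = ok and all(fnmatch.fnmatchcase(claims.get(claim(k), ""), v)
                        for k, v in cond.get("StringLike", {}).items())
        if ok:
            return True
    return False

def wildcard_sub_conditions(policy):
    """Lint: sub patterns using StringLike or '*'/'?' (any branch, tag or pull_request context
    in the repo could then assume the role)."""
    return [v for stmt in policy["Statement"]
            for op, kv in stmt.get("Condition", {}).items()
            for k, v in kv.items()
            if k.endswith(":sub") and (op.startswith("StringLike") or any(c in v for c in "*?"))]
```

A push to master yields `sub` = `repo:Percona-Lab/jenkins-pipelines:ref:refs/heads/master`, while a pull_request run yields `repo:Percona-Lab/jenkins-pipelines:pull_request`; only the exact policy rejects the latter.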
@nogueiraanderson force-pushed the PG-2353-gha-ppg-ami-factory-role branch from 86b031b to c8b516f on June 4, 2026 21:01
@nogueiraanderson marked this pull request as ready for review on June 5, 2026 12:10
@nogueiraanderson merged commit df0899a into main on Jun 5, 2026
4 checks passed